I was talking to a friend the other day about accessing donationcoder or other sites using SSL (https urls), and how many have a problem where they support ssl but some of the links on the site itself will redirect you to normal http links inadvertently, leading you back to a non-secure connection.

It turns out that there are a couple of firefox extensions that can be used to force firefox to always use an https style ssl link on certain websites. That is, it will dynamically adjust all http links to be https (or vice versa) on sites you specify.

The easiest solution is to use the very powerful, actively developed, donation supported "noscript" extension. People who are paranoid about security tend to already have noscript installed so chances are if you care about forcing https you might already have noscript installed, and just not know about this feature.

For more instructions on how to configure noscript to force https, see for example this page.

If only DC had a SSL cert that didn't make firefox throw hissy fits...

If only firefox didn't throw hissy fits, extorting money out of people so they would buy ssl certificates.

I tend to be the first to applaud security measures, but https is just broken. It is trying to serve 2 purposes, which should be separate things.

1) making sure you're talking to who you think you are talking to
2) provide encryption

#1 is not possible without having certificate authority bodies (which, right now, is a business), and i'm all for FF throwing hissy fits when you may be talking to an attacker.

However, when all you want is encryption, a self-signed cert is more than fine. The fact that anyone that wants to implement encryption without forking out the money for #1, gets harassed by web browsers, is deterring people from using and/or implementing encryption at all, which is a very very bad thing for security.

Perhaps self-signed certs should be allowed without hissy-fits, but there should be a clear visual distinction between self-signed and verified. Problem is that regular users would probably understand even less of that than they do now...

It's unfortunate that there are so many problems with SSL. But technical flaws aside, imho the biggest problem is the careless attitude of some of the CAs... apparently it's way too easy to do a bit of social engineering and get certs that you really shouldn't have.

PS: the security error says the cert is only valid for donationcoder.com - I assume that means it, technically, isn't valid for www.donationcoder.com ?

gothic has it right -- and this is one of those things that FF gets very wrong.. to use a self-signed certificate in firefox, which should be a totally reasonable thing to do -- a user has to go through some pretty confusing steps that scare them every step of the way. this is a fail.

it wouldn't be so bad if the non-self-signed ssl certificate syndicate wasn't a giant money extortion racket. it's criminal how much proper wildcard ssl certificates cost.

there needs to be a way to register self-signed certificates so that they are treated as trusted.. it wouldn't be so hard.. you'd just need to have someplace(s) trusted where the known owner of a site could provide a signature of the official certificate used on their site. there are so many easy ways to do this.. but i fear it's one of those things that is like free money to these companies.. they have a vested interest in basically blackmailing sites to buy these expensive certificates.

@mouser: During my "hunting" on the net some three years back, a promising free SSL CA was found. They were really upset by the money grabbing paws of every CA company. But their concept of free certs for most purposes looked really interesting.

After reading the posts in this thread my memory woke up and went looking for them again. They are still alive and kicking (in Israel of all places). At the time they were busy getting themselves recognized and being included in the default list of CAs from browsers. Don't know how far they got with that nowadays, but maybe they are interesting enough for DonationCoder?

isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.

I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that? They made it really confusing and if you don't do it all the time the procedure is just forgotten.

Ummm... why would you accept faulty certs globally? Isn't that a pretty stupidly insecure thing to do? Do you really visit that many sites with self-signed certs that it's a nuisance to accept certificates per site? O_o

@lanux128: Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner!

@f0dder: It would be. Guess I was not clear: Not accept faulty certs globally, but allow to accept them with a confirmation click (i.e. old FF2 default behaviour is wanted here) instead of going through the rigamarole. But after I found again my "Add Exception" button, I guess that won't be necessary so much any more.

you're welcome.. it was quite a procession for me too when i first went looking for it.

There is another FF extension which forces HTTPS and has the additional feature of setting SECURE cookies. The authors have a very good paper on their site explaining a lot of details of how to secure your site and your browser. The use of secure cookies in this process is very important.

and here are the changes I made to the .js file of the extension in the following folder location..\extensions\forcehttps@stanford.edu\defaults\preferences\forcehttps.js in order to connect to Donationcoder securely:

If anybody knows a simple way (i.e. not sniffing) of determining if a cookie has been set securely or not, I would appreciate if (s)he could share that information with me.

The use of Force HTTPS seems to be even more secure than noscript because of the secure cookie setting feature.

I have noscript permanently deactivated, because I think it is almost impossible (at least for my surfing habits) to browse the web without the use of JavaScript. So it is too much of a nuisance for me. FF3.5 will hopefully make the possibility of cross scripting attacks more remote, FWIU.
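One answer to the question above about telling whether a cookie was set securely, and a way to see which cookies a browser would still send if a site link drops back to plain http, as an added example (not code from this thread or from the Force HTTPS extension): it feeds constructed Set-Cookie headers into Python's stdlib CookieJar and asks it what it would attach to an http and an https request. The cookie names and values are made up; www.donationcoder.com is used only because it is the host discussed above.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample Set-Cookie headers, as a login response over https might
# return them (not real donationcoder.com cookies).
SAMPLE_SET_COOKIES = [
    "SMFCookie=abc123; Path=/; HttpOnly",          # session cookie, NOT Secure
    "PHPSESSID=def456; Path=/; Secure; HttpOnly",  # correctly scoped
    "theme=dark; Path=/",                          # no flags at all
]


class _Response:
    """Minimal stand-in for an http.client response; CookieJar only calls .info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def load_cookies(origin_url, set_cookie_headers):
    """Store the headers as if received from origin_url, letting the stdlib
    CookieJar apply its normal domain/path acceptance policy."""
    headers = Message()
    for line in set_cookie_headers:
        headers["Set-Cookie"] = line   # Message appends; it does not overwrite
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(headers), urllib.request.Request(origin_url))
    return jar


def audit_flags(jar):
    """Map cookie name -> (secure, httponly). HttpOnly is a non-standard
    attribute to CookieJar, so it is looked up by its literal spelling."""
    return {c.name: (bool(c.secure), c.has_nonstandard_attr("HttpOnly")) for c in jar}


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url;
    Secure cookies are withheld when the scheme is not https."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    return [part.split("=", 1)[0] for part in header.split("; ")] if header else []


if __name__ == "__main__":
    jar = load_cookies("https://www.donationcoder.com/", SAMPLE_SET_COOKIES)
    for name, (secure, httponly) in audit_flags(jar).items():
        print(f"{name:10} Secure={secure} HttpOnly={httponly}")
    # these would cross the wire in clear text after a downgrade to http
    print("sent over http:", cookies_sent_to(jar, "http://www.donationcoder.com/forum/"))
```

Against a live site the same check works by capturing the Set-Cookie headers from the https login response and passing them to load_cookies; any cookie that shows up for the http URL is one the Force HTTPS extension's secure-cookie feature is meant to protect.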